Different Services, Different Realms, but One Host
Sam Hartman
hartmans at MIT.EDU
Tue Mar 9 12:08:32 EST 2004
>>>>> "ms419" == ms419 <ms419 at freezone.co.uk> writes:
ms419> Pardon this newbish question, but here's the setup: I want
ms419> to distribute the keys for one host among two
ms419> realms. Basically, I've got a sensitive service running on
ms419> a couple of hosts, and a less secure service running on the
ms419> same hosts. I want to store the keys for the sensitive
ms419> service in one realm, and the keys for the others in
ms419> another. Any problems with these premises?

Yes. Current Kerberos implementations assume a host belongs to one
realm. You'll find it difficult to actually do this.

Also, users will end up having multiple passwords which will be
annoying.

I recommend having one KDC which is more secure than your most
sensitive service.